Alexander Grishin, 2015-11-26 10:43:57

Authorization in VK.COM? Or how to salt the hash?

Actually, after authorization we get a hash.
Next, on the server, to check the authorization you need this:
app_id+user_id+secret_key
But it turns out that if an attacker obtains this hash, he will be able to log in to my site even if the person has changed the password of his account on my site? Is that right? If so, what is the solution?


2 answer(s)
Alexander Grishin, 2016-03-09
@beerdy Asker

The solution I came up with is this:
- Generate a temporary (one-time) code as described in VK's documentation
- Receive it on the server and generate an access_token
- Use this access_token to get the user's data and see who he is
- Authorize via long poll

IronFil, 2016-03-04
@IronFil

Yes, the solutions are:
1. transfer all information over a secure client-server connection,
2. check the access_token; to reduce requests to the VK API, after successfully checking the access_token, save it in the user account on your server and compare what is saved with what the user sent.
But the issue of data compromise on the client side should not be solved by the developer; this is the user's concern.
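Added example (not code from the question or either answer) contrasting the two checks discussed in this thread: the static hash over app_id+user_id+secret_key from the question, which is identical on every request and so replays after a password change, and the answers' flow of exchanging a one-time code for an access_token that is stored on the user record and can be revoked. The hash algorithm (sha256), the constructed APP_ID, SECRET_KEY, one-time code and user id, and the stand-in for the VK code exchange are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; a real deployment reads these from config.
APP_ID = "1234567"
SECRET_KEY = "constructed-demo-secret"


def static_hash(app_id, user_id, secret_key):
    """The check from the question: a hash over app_id+user_id+secret_key.
    Nothing time-bound or session-bound goes in, so the value never changes
    (the algorithm is an assumption; the replay problem is the same for any)."""
    return hashlib.sha256(f"{app_id}{user_id}{secret_key}".encode()).hexdigest()


def verify_static(app_id, user_id, received, secret_key):
    """Constant-time comparison is correct as a comparison, but a captured hash
    stays valid forever: the expected value is the same on every request."""
    return hmac.compare_digest(static_hash(app_id, user_id, secret_key), received)


class TokenBackedAuth:
    """Flow suggested in the answers: a one-time code is exchanged server-side
    for an access_token, a hash of the token is stored on the user record and a
    server session is issued. Dropping the stored token ends the login."""

    def __init__(self):
        self.issued_codes = {"code-abc": "42"}  # constructed: one-time code -> user_id
        self.user_tokens = {}                   # user_id -> sha256(access_token)
        self.sessions = {}                      # server session id -> user_id

    def exchange_code(self, code):
        # Stand-in for the VK OAuth code exchange; a real server calls VK here.
        user_id = self.issued_codes.pop(code, None)  # pop: the code cannot be reused
        if user_id is None:
            return None
        access_token = secrets.token_hex(32)
        self.user_tokens[user_id] = hashlib.sha256(access_token.encode()).hexdigest()
        session = secrets.token_urlsafe(32)
        self.sessions[session] = user_id
        return session

    def is_logged_in(self, session):
        user_id = self.sessions.get(session)
        return user_id is not None and user_id in self.user_tokens

    def revoke(self, user_id):
        """Run on password change: forget the stored token and its sessions."""
        self.user_tokens.pop(user_id, None)
        self.sessions = {s: u for s, u in self.sessions.items() if u != user_id}
```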
